March 25, 2025 By Sergiu Gatlan
CrushFTP warned customers of an unauthenticated HTTP(S) port access vulnerability and urged them to patch their servers immediately.
As the company also explained in an email sent to customers on Friday (seen by BleepingComputer), the security flaw enables attackers to gain unauthenticated access to unpatched servers if they are exposed on the Internet over HTTP(S).
"Please take immediate action to patch ASAP. A vulnerability has been addressed today (March 21st, 2025). All CrushFTP v11 versions were affected. (No earlier versions are affected.) A CVE will be generated soon," the company warned.
"The bottom line of this vulnerability is that an exposed HTTP(S) port could lead to unauthenticated access. The vulnerability is mitigated If you have the DMZ feature of CrushFTP in place."